In August/September 2012, DataMotion conducted a survey of more than 200 IT and business professionals across the United States and Canada to gain insight into corporate email and file transfer (FTP) habits. Respondents held positions at all levels of their organizations, including administrators, managers, directors and executives. Half of respondents were from organizations with more than 500 employees. Industries represented were primarily those with strict regulatory requirements, such as healthcare, financial services and government.

Results

While some organizations still lack formal security and compliance policies, as well as controls and tools for protecting outbound email and file attachments, the majority, regardless of size or industry, are adopting these practices. 80% of respondents say their organization has policies in place for transferring files securely, with 65.5% giving employees the ability to encrypt their emails.

Despite these efforts, non-compliance is still a major issue. In organizations with policies in place for transferring files, more than half of respondents say these are moderately or rarely enforced. 84% say employees occasionally or routinely violate them, and only 45.5% feel employees fully understand these policies. This implies that either employees don't realize the impact of their actions, or they do understand but choose to violate policies anyway. Either way it's not good news. More education and training can help employees that don't understand. And for those that knowingly violate, perhaps the security solutions need to be easier to use.
The issues were not only due to employees being unaware of or ignoring policies. Even more telling, when asked about their confidence in the technology for filtering outbound email and files for compliance, more than 46% have only partial or no confidence in the technology their company uses for outbound filtering. And only 37.5% are very confident their company would pass a compliance audit. Given that these technologies have been around a while, this suggests that there is room for improvement in the technology itself, and/or how it is implemented.

A significant percentage of respondents indicate their organizations still do not encrypt their email messages. More than a third say employees do not have the ability to encrypt email, and 28.9% say their email content is not monitored for compliance. These organizations could potentially save money by using email encryption versus using expensive overnight couriers or registered mail. And if they are allowing sensitive data to be sent using unencrypted email, they are unnecessarily exposing their organization to the risk of a data breach and fines for non-compliance.

In fact, more than 30% of respondents say their company knowingly takes risks because they lack the resources to fully comply with regulations. And nearly 40% do not think it likely they would be selected for a compliance audit. This suggests that a number of organizations erroneously believe that the costs associated with a data breach are less than the costs to proactively protect email and files in transit. Unfortunately, we have found that when it comes to calculating the cost of a breach, organizations often neglect to include potential litigation costs, remediation expenses, legal fees, and reputation damage.
The survey also revealed that consumer-type file transfer services are posing a threat to organizations. These applications for sharing files often have weak security and IT administrative controls, leading to potential data leakage if used in the workplace. Despite this, more than a third of respondents have used, or recommended that others use, free consumer-type file transfer services such as YouSendIt, Dropbox, iCloud, etc. for work purposes. Furthermore, 43.4% state their company does not forbid the use of these, with more than 50% saying their organization does not block the URLs of free consumer-type file transfer services.

Conclusion

Organizations generally fall into one of three categories when it comes to secure corporate email and file transfer practices. There are organizations who have solid policies and practices in place. There are those who have taken some steps but need to do more when it comes to enforcing policies, educating users, and providing tools that are effective and simple to use. Finally, there appears to be a startling number of organizations neglecting security practices and believing they can fly under the radar of regulators when it comes to compliance. With the availability of newer, cost-effective encryption solutions via software or as a cloud service, organizations no longer need to roll the dice when it comes to compliance. The risk and potential damage are too costly, and far outweigh the cost and effort to implement the proper tools to ensure compliance.
Appendix

Survey questions and answer detail

1. What is your primary job title or function?
2. How many employees are in your organization?
3. Which of the following best describes your organization's primary business or industry?
4. Does your company have security and compliance policies for transferring files electronically?
5. How aggressively are these policies enforced?
6. Is there a formal process for updating and communicating these policies to employees?
7. Do you think employees/co-workers understand these policies?
8. How often do you feel employees/co-workers violate these policies?
9. Have you ever violated these policies?
10. Have you used, or recommended that others use, free consumer-type file transfer services like Dropbox, YouSendIt, iCloud, etc. for work purposes?
11. Does your company forbid the use of free consumer-type file transfer services like Dropbox, YouSendIt, iCloud, etc.?
12. Does your company block the URLs for YouSendIt, Dropbox, iCloud and other consumer-type file transfer services?
13. Do your employees/co-workers have the capability to encrypt email?
14. Does your company monitor the content of outbound email and file attachments for compliance purposes?
15. How confident are you in the technology your company uses for filtering outbound email and file attachments for compliance purposes?
16. Does your company make compliance trade-offs in order to reduce policy-based email encryption false positives?
17. Do your employees have a single tool for securely encrypting sensitive email and transferring files?
18. How important would it be for you to have centralized auditing, tracking and reporting for your outbound encrypted email and file transfers?
19. How likely do you think it is that your company will be selected for a compliance audit in the next 12 months?
20. If your company was selected for such an audit, how confident are you that it would pass?
21. Which best describes your company's approach to compliance?

ABOUT DATAMOTION

DataMotion enables organizations to dramatically reduce the cost and complexity of delivering electronic information to employees, customers and partners in a secure and compliant way. The company's core DataMotion Platform solves a broad range of business issues by providing a secure data delivery hub. The company's easy-to-use solutions for secure email, file transfer, forms processing and customer contact leverage the DataMotion Platform for unified data delivery. Millions of users worldwide rely on DataMotion to transparently improve business processes and reduce costs, while mitigating security and compliance risk. DataMotion is privately held and based in Morristown, N.J.